Creating and Implementing an Access Control Policy

Most IT and Facilities teams understand the need to have an access control policy; it’s probably why you’re reading this right now. However, a lot of teams are looking for guidance on best practices and on how to get buy-in from employees and leadership. This post will help you do both.

We’re going to cover the best practices and give you some tips about how to get employee buy-in to your security policy and get leadership to support and enforce your policies.

Why it’s important to have a documented and enforced access control policy

Physical access control systems and policies are critical to protecting employees, a company’s IP, trade secrets, and property. These things are the backbone of a company’s viability.

The basics of a physical security policy

Create a tiered access policy that matches your organizational units, their respective areas of responsibility in the organization, and their physical access to certain areas in your facilities.

Define who should have permanent access and who should have temporary access. It is not always as simple as: Employees vs. Non-Employees. When we get to that section, we’ll break down that assumption and challenge you to rethink this approach.

Employee training and enforcement. Creating a policy is wonderful, but if it’s not adhered to then it will ultimately be a waste of time and resources.

Visitor Management is more than just a handful of cards and a paper log book.

How do these policies and systems fit into your compliance picture?

Tiered Access Policy

Designing a tiered access policy can be done simply. The basic principle is to match each organizational unit to the doors and areas it explicitly needs access to. Here’s a matrix for reference:

Quick, but important points:

For compliance and general security purposes, organizational units should not have overlapping access, no matter their seniority.

It’s tempting, but don’t let the IT team have blanket access to HR rooms, HIPAA-compliant rooms, or other sensitive areas. Auditors will flag this, and it could delay your compliance process.

If you’re using an identity management platform like Okta, Ping, SailPoint, or another, make sure you’re integrating it with your physical access control system and enabling automated provisioning. Then design provisioning rules that map each organizational unit (OU) in your identity management system to the matching access group in your access control system.

Breaking Down the Access Groups

Now that we’ve established our tiered access policy for each OU, it’s time to break down the access groups for each OU and develop a policy for permanent vs. non-permanent access to your facilities.

Standard Employee Access

Often, companies will simply give out credentials with 24x7 access. This might be fine if you’re a small company or one that doesn’t have significant security requirements. However, since you have read this far, we can assume this means you do not fit that description.

We recommend restricting basic employee access to a window wide enough for early birds and night owls to get their work done when they want, but narrow enough that access is only possible at times when more than a handful of individuals are in the office. One example might be from 5:45 a.m. to 9:00 p.m.

Why, you ask? Here are a few reasons:

If an employee's credential is stolen or lost, it will prevent access during times when there aren’t security personnel or other employees on site.

Like the buddy system, having more than one person in the office at any given time reduces the likelihood of theft by intruders or even current employees.

Encourage people to get out of the office! Work is great, but having defined work hours will ensure employees live a balanced lifestyle that reduces burnout.

Contractors/Auditors - These types of visitors should be given a dedicated access card that includes their name and the company they work for. These guests typically have a defined time frame when they’ll need access. If you know this time frame make sure the credential issued is set to expire! Don’t leave it to chance or human memory to remember to deactivate their card.

One-time or short term visitors - We recommend not giving them a credential; instead, have them go through the facility with the person they’re meeting.

Recurring visitors - These can be vendors like cleaners or caterers that come on a regular schedule. At minimum you’ll want to give them a badge that has limited door access and is associated with a specific individual’s name. Just having the company name is a recipe for confusion and limits your recourse if an incident occurs.
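To make the rules above concrete, here is a small policy evaluator written for this post as an added example (not code from the original article or from any access control product). It encodes the points from the tiered matrix and the access group breakdown: OUs whose door sets overlap are flagged, standard employees are limited to the 5:45 a.m. to 9:00 p.m. window, every non-employee credential must carry an expiry, and every credential must name an individual. The door names, OU names and the sample credentials are constructed for illustration.

```python
from datetime import datetime, time

# Constructed example matrix: each organizational unit (OU) maps to exactly the
# doors it needs. Only the shared lobby appears in more than one group.
ACCESS_MATRIX = {
    "engineering": {"lobby", "eng_floor"},
    "hr": {"lobby", "hr_office"},
    "it": {"lobby", "server_room"},
}

# Standard employee window from the post: 5:45 a.m. to 9:00 p.m.
EMPLOYEE_WINDOW = (time(5, 45), time(21, 0))


def overlapping_access(matrix, shared=frozenset({"lobby"})):
    """Return OU pairs whose door sets overlap outside the shared common areas.
    An empty list means no two OUs have overlapping access."""
    ous = sorted(matrix)
    return [(a, b) for i, a in enumerate(ous) for b in ous[i + 1:]
            if (matrix[a] & matrix[b]) - shared]


def decide(credential, door, at, matrix=ACCESS_MATRIX):
    """Evaluate one badge read and return (decision, reason).

    credential is a dict with keys: holder (individual's name), ou (access
    group), kind ('employee', 'contractor' or 'recurring') and expires
    (datetime or None). at is the datetime of the badge read."""
    if not credential.get("holder"):
        return "deny", "credential must name an individual"
    expires = credential.get("expires")
    if credential["kind"] != "employee" and expires is None:
        return "deny", "non-employee credential must have an expiry"
    if expires is not None and at >= expires:
        return "deny", "credential expired"
    if door not in matrix.get(credential["ou"], set()):
        return "deny", "door not in access group"
    if credential["kind"] == "employee":
        start, end = EMPLOYEE_WINDOW
        if not start <= at.time() <= end:
            return "deny", "outside standard employee hours"
    return "allow", "ok"


if __name__ == "__main__":
    alice = {"holder": "Alice", "ou": "engineering", "kind": "employee",
             "expires": None}
    print(decide(alice, "eng_floor", datetime(2024, 1, 15, 8, 0)))
    print(decide(alice, "eng_floor", datetime(2024, 1, 15, 23, 0)))
```

Each deny reason is a natural field to forward to the SIEM dashboard discussed later, since it explains which policy rule rejected the read.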

Employee Training and Awareness

Having physical security policies and procedures is wonderful, but if they’re not being enforced throughout the organization they will fail. One of the hardest, yet most critical, aspects of this is employee buy-in from the bottom of the organizational chart to the top. This is a difficult gap to bridge, but if you engage people from IT and HR to communicate to the entire organization why these policies are for their benefit, you’ll get the adoption you’re looking for. Ultimately, these policies are in place to protect your employees and the company more broadly.

Here are some ways to increase adoption of these policies:

Have HR dedicate a portion of the employee training and onboarding process to demonstrating your policies and explaining why they’re important.

Dedicate a portion of time to discuss tailgating. Tailgating is when an employee holds the door open for others and is one of the simplest ways for an intruder to bypass your security measures. You should also post signs at major entry points to discourage this practice.

Use mobile credentials and enforce SSO + two factor authentication (2FA) for the highest level of physical credential protection.

Tips for compliance

Now that you’ve created a physical security policy, it’s important to document it and host it in a company wiki. You’ll want to summarize each aspect of the policy, such as the access group matrix, visitor management policies, where you log your data, who has access to the software system, and more.

If you’re using an identity management platform, make sure you integrate SAML SSO and set up automatic provisioning for lifecycle management. This will ensure you close critical failure points and are adhering to your compliance needs.

If you’re using a security information and event management (SIEM) tool, like SumoLogic or Splunk, port your data into it and create a dashboard for tracking and logging activity across your suite of facilities.